Helm chart
This reference is generated from the Tetragon Helm chart values.
The Tetragon Helm chart source is available under github.io/cilium/tetragon/install/kubernetes and is distributed from the Cilium helm charts repository helm.cilium.io.
To deploy Tetragon using this Helm chart you can run the following commands:
helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon -n kube-system
To use the values available, with helm install
or helm upgrade
, use --set key=value
.
Values
Key | Type | Default | Description |
---|---|---|---|
affinity | object | {} | |
daemonSetAnnotations | object | {} | |
daemonSetLabelsOverride | object | {} | |
dnsPolicy | string | "Default" | |
enabled | bool | true | Global settings |
export | object | {"filenames":["tetragon.log"],"mode":"stdout","resources":{},"securityContext":{},"stdout":{"argsOverride":[],"commandOverride":[],"enabledArgs":true,"enabledCommand":true,"extraEnv":[],"extraVolumeMounts":[],"image":{"override":null,"repository":"quay.io/cilium/hubble-export-stdout","tag":"v1.0.3"}}} | Tetragon event settings |
exportDirectory | string | "/var/run/cilium/tetragon" | |
exportFileCreationInterval | string | "120s" | |
extraConfigmapMounts | list | [] | |
extraHostPathMounts | list | [] | |
extraVolumes | list | [] | |
hostNetwork | bool | true | |
imagePullPolicy | string | "IfNotPresent" | |
imagePullSecrets | list | [] | |
nodeSelector | object | {} | |
podAnnotations | object | {} | |
podLabels | object | {} | |
podLabelsOverride | object | {} | |
podSecurityContext | object | {} | |
priorityClassName | string | "" | Tetragon agent settings |
selectorLabelsOverride | object | {} | |
serviceAccount.annotations | object | {} | |
serviceAccount.create | bool | true | |
serviceAccount.name | string | "" | |
serviceLabelsOverride | object | {} | |
tetragon.argsOverride | list | [] | |
tetragon.btf | string | "" | |
tetragon.commandOverride | list | [] | |
tetragon.enableK8sAPI | bool | true | |
tetragon.enableMsgHandlingLatency | bool | false | Enable latency monitoring in message handling |
tetragon.enablePolicyFilter | bool | true | Enable policy filter. This is required for K8s namespace and pod-label filtering. |
tetragon.enablePolicyFilterDebug | bool | false | Enable policy filter debug messages. |
tetragon.enableProcessCred | bool | false | |
tetragon.enableProcessNs | bool | false | |
tetragon.enabled | bool | true | |
tetragon.exportAllowList | string | "{\"event_set\":[\"PROCESS_EXEC\", \"PROCESS_EXIT\", \"PROCESS_KPROBE\", \"PROCESS_UPROBE\", \"PROCESS_TRACEPOINT\"]}" | |
tetragon.exportDenyList | string | "{\"health_check\":true}\n{\"namespace\":[\"\", \"cilium\", \"kube-system\"]}" | |
tetragon.exportFileCompress | bool | false | |
tetragon.exportFileMaxBackups | int | 5 | |
tetragon.exportFileMaxSizeMB | int | 10 | |
tetragon.exportFilePerm | string | "600" | |
tetragon.exportFilename | string | "tetragon.log" | |
tetragon.exportRateLimit | int | -1 | |
tetragon.extraArgs | object | {} | |
tetragon.extraEnv | list | [] | |
tetragon.extraVolumeMounts | list | [] | |
tetragon.fieldFilters | string | "{}" | |
tetragon.gops.address | string | "localhost" | The address at which to expose gops. |
tetragon.gops.port | int | 8118 | The port at which to expose gops. |
tetragon.grpc.address | string | "localhost:54321" | The address at which to expose gRPC. Examples: localhost:54321, unix:///var/run/tetragon/tetragon.sock |
tetragon.grpc.enabled | bool | true | Whether to enable exposing Tetragon gRPC. |
tetragon.hostProcPath | string | "/proc" | Location of the host proc filesystem in the runtime environment. If the runtime runs in the host, the path is /proc. Exceptions to this are environments like kind, where the runtime itself does not run on the host. |
tetragon.image.override | string | nil | |
tetragon.image.repository | string | "quay.io/cilium/tetragon" | |
tetragon.image.tag | string | "v1.0.0" | |
tetragon.processCacheSize | int | 65536 | |
tetragon.prometheus.address | string | "" | The address at which to expose metrics. Set it to "" to expose on all available interfaces. |
tetragon.prometheus.enabled | bool | true | Whether to enable exposing Tetragon metrics. |
tetragon.prometheus.metricsLabelFilter | string | "namespace,workload,pod,binary" | The labels to include with supporting metrics. The possible values are “namespace”, “workload”, “pod” and “binary”. |
tetragon.prometheus.port | int | 2112 | The port at which to expose metrics. |
tetragon.prometheus.serviceMonitor.enabled | bool | false | Whether to create a ‘ServiceMonitor’ resource targeting the tetragon pods. |
tetragon.prometheus.serviceMonitor.labelsOverride | object | {} | The set of labels to place on the ‘ServiceMonitor’ resource. |
tetragon.prometheus.serviceMonitor.scrapeInterval | string | "10s" | Interval at which metrics should be scraped. If not specified, Prometheus’ global scrape interval is used. |
tetragon.resources | object | {} | |
tetragon.securityContext.privileged | bool | true | |
tetragonOperator | object | {"affinity":{},"annotations":{},"extraLabels":{},"extraPodLabels":{},"extraVolumeMounts":[],"extraVolumes":[],"image":{"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"},"nodeSelector":{},"podAnnotations":{},"podInfo":{"enabled":false},"podSecurityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}},"priorityClassName":"","resources":{"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}},"securityContext":{},"serviceAccount":{"annotations":{},"create":true,"name":""},"skipCRDCreation":false,"strategy":{},"tolerations":[{"operator":"Exists"}]} | Tetragon Operator settings |
tetragonOperator.annotations | object | {} | Annotations for the Tetragon Operator Deployment. |
tetragonOperator.extraLabels | object | {} | Extra labels to be added on the Tetragon Operator Deployment. |
tetragonOperator.extraPodLabels | object | {} | Extra labels to be added on the Tetragon Operator Deployment Pods. |
tetragonOperator.extraVolumes | list | [] | Extra volumes for the Tetragon Operator Deployment. |
tetragonOperator.image | object | {"override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/tetragon-operator","tag":"v1.0.0"} | tetragon-operator image. |
tetragonOperator.nodeSelector | object | {} | Steer the Tetragon Operator Deployment Pod placement via nodeSelector, tolerations and affinity rules. |
tetragonOperator.podAnnotations | object | {} | Annotations for the Tetragon Operator Deployment Pods. |
tetragonOperator.podInfo.enabled | bool | false | Enables the PodInfo CRD and the controller that reconciles PodInfo custom resources. |
tetragonOperator.podSecurityContext | object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}} | securityContext for the Tetragon Operator Deployment Pod container. |
tetragonOperator.priorityClassName | string | "" | priorityClassName for the Tetragon Operator Deployment Pods. |
tetragonOperator.resources | object | {"limits":{"cpu":"500m","memory":"128Mi"},"requests":{"cpu":"10m","memory":"64Mi"}} | resources for the Tetragon Operator Deployment Pod container. |
tetragonOperator.securityContext | object | {} | securityContext for the Tetragon Operator Deployment Pods. |
tetragonOperator.serviceAccount | object | {"annotations":{},"create":true,"name":""} | tetragon-operator service account. |
tetragonOperator.strategy | object | {} | resources for the Tetragon Operator Deployment update strategy |
tolerations[0].operator | string | "Exists" | |
updateStrategy | object | {} |
Last modified November 30, 2023: helm: Updated Helm value doc (3fb78695)